Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (CVSS v3.1 base score 5.0, Medium)
Primary rating from NVD.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
Description (CVE.org)
An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request.
Analysis (AI)
The bug is a missing object-level authorization check (CWE-639, Authorization Bypass Through User-Controlled Key): the GetUserRoles gRPC handler in Velociraptor before 0.76.5 authenticates the caller but does not verify that the caller is allowed to read the policy of the user named in the request, so any authenticated low-privilege user can look up the complete ACL policy (roles and permissions) of any user in any organization simply by setting the Name and Org parameters. Per the CVSS vector the direct impact is confidentiality only (C:L/I:N/A:N): the disclosed roles and permissions do not by themselves grant additional rights, but they tell an attacker exactly which accounts hold administrative roles in which organizations, which is useful reconnaissance for a later privilege-escalation attempt. Scope is rated Changed because a user authorized in one organization can read authorization data belonging to other organizations. Any deployment running a vulnerable version is affected as soon as an attacker holds any valid user account.
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the following specific conditions: (1) the attacker must hold valid Velociraptor authentication credentials (any low-privilege user account); (2) the GetUserRoles gRPC endpoint must be reachable over the network (the default API port 8001 or a configured alternative); (3) the attacker must know or be able to enumerate valid user Name and Org values to query; and (4) no network-level access control must block gRPC calls from the attacker's position. … |
| Risk Assessment | CVSS 5.0 with network vector (AV:N), low attack complexity (AC:L) and low privileges required (PR:L) indicates moderate real-world risk: the precondition is an ordinary user account rather than an unauthenticated foothold, and the impact is disclosure of authorization metadata (C:L) rather than direct control of the server. … |
| Exploit Scenario | An authenticated low-privilege Velociraptor user (e.g., an analyst with read-only forensics access) crafts a gRPC request to the GetUserRoles endpoint with the Name and Org parameters set to an administrator or to a user in a different organization. The endpoint returns the complete ACL policy for the targeted user, including role definitions, permission assignments and organization-level access controls. … |
| Remediation | Upgrade Velocidex Velociraptor to version 0.76.5 or later, which adds an authorization check to the GetUserRoles endpoint so that a requesting user can only retrieve ACL policies for users within their authorized scope. Pending the upgrade, condition (4) above is the available compensating control: limit network reachability of the API port to trusted hosts. … |
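The Exploit Scenario and Remediation rows above describe the same missing check from the attacker's and the defender's side. The Go model below is an added example written for this page; it is not Velociraptor's code, and its types, the role name "administrator", the org identifiers and the users are constructed assumptions. It places a pre-fix handler, which relies on authentication alone, next to a hardened version that performs the object-level authorization check the remediation describes, and which returns one error for both "denied" and "not found" so the endpoint cannot be turned into a cross-org user-enumeration oracle.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrPermissionDenied stands in for gRPC's codes.PermissionDenied; this is
// a constructed example, not Velociraptor's real error type.
var ErrPermissionDenied = errors.New("permission denied")

// Principal is the authenticated caller as established by the API layer.
type Principal struct {
	Name string
	Org  string
}

// ACLPolicy is what the endpoint hands back: the roles a user holds in one org.
type ACLPolicy struct {
	Roles []string
}

// userKey identifies a (org, user) pair in the policy store.
type userKey struct{ Org, Name string }

// Server holds an in-memory policy store standing in for the datastore.
type Server struct {
	policies map[userKey]ACLPolicy
}

// GetUserRolesRequest mirrors the two attacker-controlled fields named in the CVE text.
type GetUserRolesRequest struct {
	Name string
	Org  string
}

// NewSampleServer builds a constructed store: alice administers org "O1",
// bob is a read-only "reader" in "O1", carol administers "O2".
func NewSampleServer() *Server {
	return &Server{policies: map[userKey]ACLPolicy{
		{"O1", "alice"}: {Roles: []string{"administrator"}},
		{"O1", "bob"}:   {Roles: []string{"reader"}},
		{"O2", "carol"}: {Roles: []string{"administrator"}},
	}}
}

// GetUserRolesVulnerable models the pre-fix behaviour: the caller is known to be
// authenticated (done upstream), but nothing asks whether THIS caller may read
// THIS target's policy, so the user-controlled key selects any record (CWE-639).
func (s *Server) GetUserRolesVulnerable(caller Principal, req GetUserRolesRequest) (ACLPolicy, error) {
	p, ok := s.policies[userKey{req.Org, req.Name}]
	if !ok {
		return ACLPolicy{}, errors.New("not found")
	}
	return p, nil
}

// hasRole reports whether the caller holds role in org, according to the store.
func (s *Server) hasRole(caller Principal, org, role string) bool {
	p, ok := s.policies[userKey{org, caller.Name}]
	if !ok {
		return false
	}
	for _, r := range p.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// GetUserRolesFixed adds the object-level check: a caller may read their own
// policy, or any policy in an org where they hold "administrator" (an assumed
// role name for this example). The check runs before the lookup, and a missing
// target produces the same error as a forbidden one, so responses do not reveal
// which users exist in other orgs.
func (s *Server) GetUserRolesFixed(caller Principal, req GetUserRolesRequest) (ACLPolicy, error) {
	self := req.Name == caller.Name && req.Org == caller.Org
	if !self && !s.hasRole(caller, req.Org, "administrator") {
		return ACLPolicy{}, ErrPermissionDenied
	}
	p, ok := s.policies[userKey{req.Org, req.Name}]
	if !ok {
		return ACLPolicy{}, ErrPermissionDenied
	}
	return p, nil
}

func main() {
	s := NewSampleServer()
	bob := Principal{Name: "bob", Org: "O1"}
	cross := GetUserRolesRequest{Name: "carol", Org: "O2"}
	p, err := s.GetUserRolesVulnerable(bob, cross)
	fmt.Println("vulnerable:", p.Roles, err) // bob reads carol's roles in O2
	_, err = s.GetUserRolesFixed(bob, cross)
	fmt.Println("fixed:", err) // permission denied
}
```

The hardened handler deliberately keys the admin check on the target's org rather than the caller's, which is what closes the cross-organization path; a check against the caller's own org would still let an admin of "O1" read every user in "O2".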
Vendor Status
SUSE
Severity: Low
| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
External references
EUVD-2026-27517 (ENISA European Union Vulnerability Database entry)
GHSA-3c93-g9g6-p5j4 (GitHub Security Advisory)